HYVOR provides Customers with the Hyvor Talk commenting system. Hyvor Talk 
collects personal data from users who visit and choose to comment on the websites 
that load Hyvor Talk. Hyvor Talk provides the ability for Customers to access these 
personal data to some level. 


This Data Processing Agreement (“Agreement”) is an addendum to our Terms of
Service of Hyvor Talk and is signed between


HYVOR: 

11 RUE CARNOT 

94270 LE KREMLIN-BICETRE 
FRANCE 

(the “Company”) and 


(the "Customer") 


The parties agree as follows: 


Definitions 


• “You”, “Company”, or “Customer” means the company or organization that uses
Hyvor Talk on their website and signs this contract.

• “EEA” means the European Economic Area;

• “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into
domestic legislation of each Member State and as amended, replaced, or
superseded from time to time, including by the GDPR and laws implementing or
supplementing the GDPR;

• “GDPR” means EU General Data Protection Regulation 2016/679;

• “Agreement” means this Data Processing Agreement and all Schedules;

• “Subprocessor” means any person appointed by or on behalf of Processor to
process Personal Data on behalf of the Company in connection with the
Agreement.

• “Data controller”, “Data processor”, “Data subject”, “Personal data” and
“Processing” shall be interpreted in accordance with applicable Data Protection
Legislation.

• “Terms” means Hyvor Talk Terms of Service.


Applicability of DPA 


This DPA applies where and only to the extent that Hyvor Talk Commenting System
(talk.hyvor.com) processes Personal Data on your behalf in the course of providing the
Services and such Personal Data is subject to Data Protection Laws of the European
Union, the European Economic Area and/or their member states, Switzerland and/or the
United Kingdom. The parties agree to comply with the terms and conditions in this
DPA in connection with such Personal Data.


This DPA only applies to the Hyvor Talk Service of HYVOR. 


Roles and Responsibilities 


Hyvor Talk and Customer both act as a Data Controller. User data collection depends
on whether the Customer uses Single Sign-on. EXHIBIT 1 of this document describes
data that Hyvor Talk collects and makes available to the Customer.


Both parties shall be responsible for ensuring they have complied, and will continue to
comply, with all applicable laws relating to privacy and data protection, including but
not limited to the EU Data Protection Legislation.


Customers shall process the Personal Data for the purposes described in EXHIBIT 1,
except where required by applicable law.


Security 


Customer shall integrate Hyvor Talk on their websites securely using the best practices
mentioned in our documentation. Customer shall securely communicate with Hyvor
Talk when transmitting personal data (e.g., Single Sign-on). Customer shall implement
other appropriate technical and organisational measures to protect the Personal Data
from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or
access.


Taking into account the state of the art, the costs of implementation and the nature,
scope, context and purposes of Processing as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, Processor shall in relation to
the Company Personal Data implement appropriate technical and organizational
measures to ensure a level of security appropriate to that risk, including, as
appropriate, the measures referred to in Article 32(1) of the GDPR.


In assessing the appropriate level of security, Processor shall take account in particular
of the risks that are presented by Processing, in particular from a Personal Data
Breach.


Personal Data Breach 


HYVOR shall notify Customer without undue delay upon becoming aware of a
Personal Data Breach affecting Customer Personal Data, providing Customer with
sufficient information to allow the Customer to meet any obligations to report or inform
Data Subjects of the Personal Data Breach under the Data Protection Laws.


HYVOR shall co-operate with the Customer and take reasonable commercial steps as
directed by Customer to assist in the investigation, mitigation and remediation of each
such Personal Data Breach.


Data Protection Impact Assessment and Prior Consultation


Processor shall provide reasonable assistance to the Customer with any data
protection impact assessments, and prior consultations with Supervising Authorities
or other competent data privacy authorities, which Customer reasonably considers to
be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data
Protection Law, in each case solely in relation to Processing of Customer Personal
Data by, and taking into account the nature of the Processing and information
available to, the Contracted Processors.


Data Subject Rights 


HYVOR shall promptly notify Customer if it receives a request from a data subject
under any Data Protection Laws in respect of Personal Data, including requests by a
data subject to exercise rights in Chapter III GDPR, and shall provide full details of that
request. HYVOR shall reasonably co-operate as requested by Customer to enable
Customer to comply with any exercise of rights by a data subject under Chapter III
GDPR in respect of Personal Data.


Deletion of data 


Upon termination or expiry of the Agreement, Customer shall delete the Personal Data
(including copies) then in Customer's possession, except to the extent that Customer is
required by applicable law to retain some or all of the Personal Data.


Sub-Processing 


Customer hereby provides general authorization for HYVOR to subcontract the 
Processing of Personal Data to Subprocessors. HYVOR shall be liable for the acts and 
omissions of its Sub-processors to the same extent as if the acts and omissions were 
performed by HYVOR. 


The current list of Sub-processors can be found in EXHIBIT 2 of this document. An
up-to-date list is available in the public online version of this DPA at
https://talk.hyvor.com/docs/dpa.


If Customer has legitimate reason under Data Protection Laws to object to a new
Sub-processor, Customer shall provide written notice of such objection to HYVOR. If
Customer objects, HYVOR and Customer will discuss a commercially reasonable
resolution. If no commercially reasonable resolution can be reached within thirty (30)
days, either party may terminate the applicable Services that cannot be provided by
HYVOR without the use of the objected Sub-processor.


Security Reports and Audits 


HYVOR shall maintain records of its security standards. HYVOR shall further provide
written responses (on a confidential basis) to all reasonable requests for information
made by you, including responses to information security and audit questionnaires, that
you (acting reasonably) consider necessary to confirm HYVOR's compliance with this
DPA, provided that you shall not exercise this right more than once per year.


International Transfers 


HYVOR stores and processes data of all Customers within the European Union in data
centers in Frankfurt, Germany. HYVOR shall implement appropriate safeguards to
protect the Personal Data in accordance with the requirements of Data Protection
Laws.


HYVOR acknowledges that Customer may disclose the privacy provisions in this DPA
and the Terms to any judicial or regulatory body upon their lawful request.


General Terms 


Except as amended by this DPA, the Terms of Service will remain in full force and 
effect. If there is a conflict between the Terms of Service and this DPA, the terms of 
this DPA will control. 


The DPA is effective as of the 1st of July and replaces and supersedes any previously
agreed data processing agreement between you and Hyvor Talk relating to the GDPR.
Termination or expiration of this DPA shall not discharge the parties from the
confidentiality obligations herein.


HYVOR 

Signature: 

Name: Supun Wimalasena 
Title: Founder & CEO 
Date: 

Customer 

Signature: 

Name: 

Title: 


Date: 


EXHIBIT 1 - Data Processing Details 


Hyvor Talk is operated by HYVOR and provides a commenting system for the
Customer to use on their websites and applications. Visitors may react, vote, and
comment within the comments section, which requires authentication and collection of
personal data. Customer may select one of the following authentication methods:


1. Hyvor Login (at hyvor.com) 
2. Single Sign-on (SSO) 


Hyvor

How data is collected: User data is collected at hyvor.com when the User creates
an account. HYVOR will share name, username, IP address, and other profile-related
public data to the Customer.

What data can Customer Access: Name, username, IP address, activity (comments,
reactions, etc.) on Customer's website

Deleting Data: The User can delete their Hyvor account, which will delete their
personal details. The Customer can delete activity on their website, but cannot
delete user accounts.


SSO

How data is collected: User data is collected by the Customer on their website, and
then shared with Hyvor Talk securely using HMAC digital signatures. The Customer
agrees that they have the right to share

What data can Customer Access: All personal data shared with Hyvor Talk, activity
on Customer's website.

Deleting Data: Email request or API


Customer can disable IP Address collection through the Moderation Console. 


EXHIBIT 2 - Sub-Processors 


Entity Name            Sub-processing activities   Terms   Entity country
DigitalOcean, LLC [1]  Cloud Hosting & Storage     Terms   USA
Cloudflare             CDN                         Terms   USA
Mailgun [2]            Email Service Provider      Terms   USA
Akismet                Spam Detection              Terms   USA
OOPSpam                Spam Detection              Terms   USA
Helpspace              Customer Email Support      Terms   Germany
Featurebase            Feedback Software           Terms   Estonia
Splitbee               Analytics                   Terms   Austria


[1] We only utilize DigitalOcean's data centers in Europe
[2] Mailgun is configured for short-lived logs and no-tracking


